XSS cross-site scripting attack and Prevention

I. XSS Trojan attack simulation the following uses the dynamic network DVBBS Forum as an example to simulate detailed operations by attackers:
Step 1: Download the source code of the dynamic network DVBBS Forum from the Internet and configure it in IIS. Then open index. asp on the homepage of the Forum ",. Register a low-Permission user, enter a forum, click the "initiate vote" button on the page, and post a vote ,.



Step 2: Add a vote item on the "initiate a vote" page, and add the classic cross-site scripting attack code in the "Vote project" text box: <script> alert ('xsss ') </script> where the code is entered, it is a "voting item". In other places, attackers generally forge normal information ,.
Step 3: publish the voting post after the disguise is completed. In this case, the voting Post published by the attacker contains the XSS code. As long as the user accesses this post, it will launch XSS attacks. To test the effect, log out of the current user's logon and log in with the Administrator account to access this voting post ,. The standard XSS dialog box is displayed, indicating that the cross-site Attack Script constructed by the attacker is successful.

Ii. Procedure Analysis of XSS Elevation of Privilege attack instances
The specific operation steps for XSS Elevation of Privilege attacks are as follows: Step 1: Open the "index. asp" page on the IIS server to go to the "deep learning message board" system homepage ,. Click the "I want to leave a message" button at the top of the page to go to the "add a message" Page and enter content based on code analysis.

Step 2: Click the message button to submit the message content. When the Administrator logs on to the background again for management, select the "message board management" option in the left-side list. XSS can be directly triggered without clicking other content ,. Step 3: Select the "Website user management" option in the left-side Navigation Pane. In addition to the default administrator, a new Administrator named "duoduosixu" is added ,.




To prevent XSS attacks, take the following steps:
Step 1: Open IE and select Tools> Internet Options to bring up the Internet Options dialog box ,. Step 2: switch to the Security tab, select the Internet icon, and click the Custom Level button to bring up the Security Settings dialog box, customize the security level of the Internet ,. Step 3: Find the "script" area and set "activity script" to "disabled ".